Comments on: Which? survey of online banking security http://www.lightbluetouchpaper.org/2009/09/03/which-survey-of-online-banking-security/ Security Research, Computer Laboratory, University of Cambridge Fri, 10 Feb 2012 17:31:40 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: alex kent http://www.lightbluetouchpaper.org/2009/09/03/which-survey-of-online-banking-security/comment-page-1/#comment-205155 alex kent Fri, 02 Dec 2011 22:40:53 +0000 http://www.lightbluetouchpaper.org/?p=1234#comment-205155 hi, could you elaborate on what a '4P login' refers to? this is an interesting article. i'm currently writing a short paper on user behaviour in relation to security for online banking. the perspective you suggest - that the complexity and overhead this entails for the user can be avoided (or is worthless) if sufficient smarts are applied to monitoring and automatically blocking transactions which appear abnormal - is certainly interesting in the context of my research. i suppose we end up back at Security Theatre. alex. hi,
could you elaborate on what a ‘4P login’ refers to?

this is an interesting article. i’m currently writing a short paper on user behaviour in relation to security for online banking. the perspective you suggest – that the complexity and overhead this entails for the user can be avoided (or is worthless) if sufficient smarts are applied to monitoring and automatically blocking transactions which appear abnormal – is certainly interesting in the context of my research. i suppose we end up back at Security Theatre.

alex.

]]> By: Matthew Pemble http://www.lightbluetouchpaper.org/2009/09/03/which-survey-of-online-banking-security/comment-page-1/#comment-33532 Matthew Pemble Tue, 08 Sep 2009 08:25:41 +0000 http://www.lightbluetouchpaper.org/?p=1234#comment-33532 The fraud figures for individual banks are, indeed, collected by APACS but are only shared with the banks in aggregate - unless you stumble across information in the pub or in relation to a specific incident, you may know who is doing particularly well or spectacularly badly but you won't have hard data on anybody other than yourselves. I was an ineffective proponent of requiring CAP at log-in (or, at least, allowing the customer to choose) or limiting the transactions available on a 4P login. Unfortunately, this was not popular with the customer groups (in fact, the whole card reader thing was massively unpopular) and was not implemented in my time (and is still not there). The bandwidth available with CAP is very poor so the effort has gone in to attacking the most vulnerable stages of the fraud - the transfer of the money from the initial victim's bank (not necessarily their bank account) and the subsequent transfer out of the UK banking system. Unfortunately, successes in these areas don't lend themselves well to headline nor to uninformed external analysis. A change in the law to the American model, where liability is clearly with the banks, is something Ross has been campaigning for for years and is long overdue. On the other hand, we should not conflate the necessity for "security breach reporting" with a desire for more information on fraud - the two are very different. The fraud figures for individual banks are, indeed, collected by APACS but are only shared with the banks in aggregate – unless you stumble across information in the pub or in relation to a specific incident, you may know who is doing particularly well or spectacularly badly but you won’t have hard data on anybody other than yourselves.

I was an ineffective proponent of requiring CAP at log-in (or, at least, allowing the customer to choose) or limiting the transactions available on a 4P login. Unfortunately, this was not popular with the customer groups (in fact, the whole card reader thing was massively unpopular) and was not implemented in my time (and is still not there).

The bandwidth available with CAP is very poor so the effort has gone in to attacking the most vulnerable stages of the fraud – the transfer of the money from the initial victim’s bank (not necessarily their bank account) and the subsequent transfer out of the UK banking system. Unfortunately, successes in these areas don’t lend themselves well to headline nor to uninformed external analysis.

A change in the law to the American model, where liability is clearly with the banks, is something Ross has been campaigning for for years and is long overdue. On the other hand, we should not conflate the necessity for “security breach reporting” with a desire for more information on fraud – the two are very different.

]]> By: Clive Robinson http://www.lightbluetouchpaper.org/2009/09/03/which-survey-of-online-banking-security/comment-page-1/#comment-33468 Clive Robinson Sun, 06 Sep 2009 22:12:35 +0000 http://www.lightbluetouchpaper.org/?p=1234#comment-33468 Steven, I regard Barclays as the best of a very bad bunch, and very far from Which?'s given rating of excellent. Few if any banks actually authenticate the transaction in any meaningful way, and none that I'm aware of come even close to doing it properly. My advise to people is, If your bank or building society offer you Internet Banking read the small print on who's liable, then tell them no thank you. If they add it to your account as a default or as a courtesy, change bank as fast as you possibly can. It has been known for something like ten years what is needed in principle if not practice but the banks appear not to get it (or don't want to). Steven,

I regard Barclays as the best of a very bad bunch, and very far from Which?’s given rating of excellent.

Few if any banks actually authenticate the transaction in any meaningful way, and none that I’m aware of come even close to doing it properly.

My advise to people is,

If your bank or building society offer you Internet Banking read the small print on who’s liable, then tell them no thank you. If they add it to your account as a default or as a courtesy, change bank as fast as you possibly can.

It has been known for something like ten years what is needed in principle if not practice but the banks appear not to get it (or don’t want to).

]]>